Data Protection
Let’s jump in and learn:
Data Protection vs. Data Privacy
There is considerable confusion about data protection vs. data privacy and the differences between the two. While interconnected, data protection and data privacy are not synonymous.
At a high level, the distinction is that one is about how personal or sensitive data is handled, and the other is related to measures taken to secure that data. The differences between data protection and data privacy are critical to understanding and successfully managing the two highly-regulated functions.
It starts with data privacy, which focuses on collecting, using, retaining, deleting, and storing personal or sensitive data. Data privacy also covers users’ rights to and control over the use and retention of their data. In essence, data privacy is about what can be done with personal data that is collected lawfully.
Once personal or sensitive data is in hand, data protection comes into play. Data protection encompasses the tools and processes that safeguard personal and other sensitive information from unauthorized or unlawful access and use.
Data protection and data privacy rules and laws are regulated by authorities that represent countries, states, industries, and organizations. Technical teams primarily manage data protection, while data privacy is handled by experts with backgrounds in law, policymaking, and sometimes engineering.
What Is Data Protection?
Data protection is focused on securing personal and other sensitive information from unauthorized access and use based on data privacy parameters. This includes protecting personal data from any unauthorized access by third parties or internal users as well as from malicious attacks and exploitation of data.
A number of security solutions are employed for data protection to ensure that personal and sensitive data remains private and safe from breaches, leakage, loss, or corruption. Data protection methods, practices, and processes can include:
- Access control
- Activity monitoring
- Authentication with passwords and multi-factor solutions
- Encryption of data in use, at rest, and in motion
- Incident response protocols
- Network security
Data protection strategies are based on the accessibility of the data and how the data is managed. From a data protection perspective, data accessibility and data management are defined as follows:
- Data accessibility means the ability for authorized users to retrieve, modify, copy, or move data.
- Data management encompasses processes to securely collect, use, and store data, including protecting data from errors, corruption, breaches, and attacks.
What Is Data Privacy?
Under the realm of data privacy is the ability of a person to determine when, how, and to what extent their personal or sensitive information is shared with or communicated to others. Information considered under data privacy includes:
- Cookie IDs
- Driver’s license number
- Email address
- Home address
- Identification card number
- Identifier of a person’s phone
- Internet Protocol (IP) address
- Location data (e.g., the location data function on a mobile phone)
- Name and surname
Why Data Protection Is Important
- Ensures compliance with regulatory bodies’ data protection requirements
- Eliminates the risk of losing valuable business relationships by not complying with their contractual requirements for data protection
- Helps maintain brand value and protect an organization’s reputation
- Increases customer loyalty
- Can be a competitive differentiator and provide a competitive advantage
Data Protection Technologies
There are many options for and combinations of data protection solutions. Following are several commonly used data protection technologies.
Access Control
Access control is a critical technology for data protection. By restricting access to information and resources, access controls limit rights to read, edit, and remove data. These systems do this by authenticating and authorizing users to confirm their identity and approved access levels.
Three types of access controls for data protection are:
- 1. Discretionary Access Control (DAC)
The data owner determines who will have access and the privileges they will have. - 2. Role-Based Access Control (RBAC)
Access to data is based on a person’s role, with permission granted based on pre-set criteria. - 3. Mandatory Access Control (MAC)
Access controls are restricted to administrators, and individuals are not able to grant access to resources or data.
In addition, network access control supports data protection with systems that prevent unauthorized users from infiltrating networks. Network access controls can be set at granular levels, such as full access to the network, but limited access to specific data, or preventing mobile devices from accessing a network.
Anti-Virus and Anti-Malware Software
Anti-virus and anti-malware solutions provide data protection from a range of malicious software, including viruses, ransomware, worms, and trojans. These solutions also offer proactive data protection by scanning and monitoring systems and files.
Authentication and Identity Management
User authentication and identity management protect data with a number of tools, including passwords, security tokens, and biometrics (e.g., fingerprint, facial recognition, iris, palm print, retina, hand geometry, voice, signature).
Single-factor authentication uses one point of reference for user validation. In contrast, multiple-factor authentication (MFA) uses two or more steps for verification, such as using a password and a one-time password (OTP) delivered via SMS.
Another authentication tool is single sign-on (SSO), which allows users to log in to multiple applications while authenticating only once. An advantage of single sign-on is that it utilizes a central directory that controls user access to resources at a more granular level.
Blockchain
A new tool in the data protection arsenal is blockchain. Data in a blockchain is protected using cryptography to ensure that it cannot be tampered with or altered. Blockchain provides an innovative approach to data protection with a different way to store and control data.
Data Backup
Considered one of the best data protection methods, data backup is also one of the oldest. Data backups can be performed in a variety of ways, including using external USB drives, network-attached storage (NAS), storage area networks, network shares, tapes, and cloud storage.
A proven approach to using backup for data protection is following the 3-2-1 rule, which involves saving three copies of data, including the original copy. Two are local copies kept on different storage systems, and one is a backup copy that's kept off-site.
Data Encryption
Data within a network should be encrypted to maximize data protection. To be fully secured, all data states should be encrypted, including:
- Data in use
This is data that is actively being generated, viewed, updated, processed, or accessed by an application. Examples of data in use are data stored in memory, data processed by computing equipment, and data captured by an input device (e.g., keyboard) and transferred to memory. - Data in motion or data in transit
This is data that is being transmitted between applications or networks. Examples of data in motion are email attachments in transit and data traveling through web applications or collaboration platforms. - Data at rest
This is data that is not currently in use and is kept in a storage device until it is needed. Examples of data at rest are files stored on file servers, records in databases, and documents on flash drives or hard disks.
Firewall Protection
A firewall provides data protection by acting as a barrier between internal and external networks, blocking unsolicited and unwanted incoming network traffic. Firewalls also support data protection efforts by validating that malicious software or users, like ransomware attackers or cyber-attackers, do not access networks and threaten data.
Intrusion Detection and Prevention Software
Monitoring and regulating the traffic in and out of networks, performed by intrusion detection and prevention software, also provides data protection. These tools are able to proactively identify network threats and trigger the necessary responses to strengthen data protection.
Password Protection
Passwords provide a solid line of defense for data protection. Organizations should enforce stringent password policies, including the use of strong and unique passwords for different applications and tools.
Virtual Private Networks
To assure data protection when users access networks remotely, virtual private networks (VPNs) should be used. VPNs create a secure connection to the network from another endpoint or site, which keeps unauthorized users from accessing a network.
Data Protection Regulations
More often than not, data protection regulations are the driving force for data protection enhancements. Data protection regulations require organizations, businesses, and governments to safeguard individuals’ personal and sensitive information during the collection, usage, transfer, and disclosure of this data.
Already a formidable challenge to adhere to, data protection regulations continue to expand in scope and scale. Violations can result in serious fines and negative publicity related to mandatory disclosure rules. Therefore, in addition to the financial loss, non-compliant organizations risk damaging their brands and organizational reputations.
Countries around the world have legislation in place for data protection. In the United States, there is not a single data protection law, but rather a number of laws enacted at federal and state levels to protect residents’ personal and sensitive information. In addition, there are regulations put forth by industries.
Federal Data Protection Regulations
Cable Communications Act
Cable operators may not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned.
Children’s Online Privacy Protection Act (COPPA)
Designed to limit the collection and use of personal information about children (i.e., under the age of 13) by the operators of internet services and websites.
Driver’s Privacy Protection Act (DPPA)
Any state’s Department of Motor Vehicle (DMV) officers, employees, or contractors are prohibited from releasing or using personal information about an individual obtained by the department in connection with a motor vehicle record.
Fair and Accurate Credit Transaction Act (FACTA)
Restricts the use of information that has a bearing on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living insofar as it is used to determine eligibility for credit, employment, or insurance.
Federal Trade Commission Act
This grants the Federal Trade Commission the power to enforce federal privacy and data protection regulations.
Family Education Rights Privacy Act (FERPA)
This gives parents the right to access to their children’s education records, the right to seek to have the records amended, and control over the disclosure of personally identifiable information from the education records.
Gramm-Leach-Bliley Act (GLBA)
This governs data protection for personal information held by banks, insurance companies, and other companies in the financial services sector.
Health Insurance Portability and Accountability Act (HIPAA)
Includes data protection for information held by a covered entity that concerns health status, delivery of healthcare, or payment for healthcare that can be linked to an individual.
Video Privacy Protection Act (VPPA)
This restricts the disclosure of individuals’ information rental or sales records for videos or similar audio-visual materials, including online streaming.
State Data Protection Legislation
Every state has adopted data protection legislation that applies to certain types of personal information about its residents. In most cases, organizations must comply even if they do not have a physical presence in the state. These laws apply to individuals’ information that is collected, held, transferred, or processed.
States with stringent data protection laws include California with the California Privacy Rights Act (CPRA), Illinois with its Biometric Information Privacy Act (BIPA), New York with the SHIELD Act, and the Commonwealth of Virginia, with its Consumer Data Protection Act (VCDPA).
Industry-Specific Data Protection Legislation
Payment Card Industry Data Security Standard (PCI-DSS)
This regulation codifies data protection rules set forth by major credit card companies for businesses that process, store, or transmit payment card data.
Global Data Protection Legislation
Most countries worldwide, including those classified as less economically-developed, have enacted data protection legislation. Examples include:
- Australia
Australia Privacy Act - Brazil
Lei Geral de Proteção de Dados (LGPD) - Canada
Digital Charter Implementation Act (DCIA)
Personal Information Protection and Electronic Documents Act (PIPEDA) - China
Personal Information Protection Law (PIPL) - Democratic Republic of Congo
Law No. 29-2019 on the protection of personal data - European Union
General Data Protection Regulation - South Africa
Protection of personal information (POPI) - United Kingdom
Data Protection Act (DPA)
Compliance
Many jurisdictions enforce various state and international regulations. In the United States, the Federal Trade Commission (FTC) has broad authority to enforce data protection regulations.
However, data protection laws specific to industries (e.g., HIPAA, GLBA, FACTA, FERPA) are enforced by other agencies, including the Office of the Comptroller of Currency (OCC), the Department of Health and Human Services (HHS), the Federal Communications Commission (FCC), the Securities and Exchange Commission (SEC), the Consumer Financial Protection Bureau (CRPB), and the Department of Commerce.
The first federal-style data privacy legislation at a state level in the US is the California Privacy Protection Agency (CPPA).
Challenges to Data Protection
- Gaps between data protection solutions
- Hard-to-track data hidden in encrypted traffic
- Infringement on user experience
- Limited visibility and context for connected to data usage
- Occurrences of compliance violations across clouds
Data Protection to Enable Data Privacy with Multiple Benefits
There are a number of solutions involved in effectively implementing and maintaining data protection across an organization. It can be resource-intensive, both from a monetary and staffing perspective. However, as with so many regulation-driven endeavors, the return on investment is always favorable, because the benefits extend far beyond merely meeting compliance requirements.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 14th February 2022